Light Dark
March 9, 2023 By Doug Bonderud 4 min read
Incident Response
Risk Management
Security Services

A red teamer is a cybersecurity professional that works to help companies improve IT security frameworks by attacking and undermining those same frameworks, often without notice.

The term “red teaming” is often used interchangeably with penetration testing. While the terms are similar, however, there are key distinctions. First and foremost is the lack of notice from red teams. Pen testing may be scheduled in advance to assess the ability of specific security measures to handle a simulated attack; red team exercises are carried out with no warning. This, in turn, forces company IT teams to respond as if red team efforts were a real attack.

The history of red teams

Red teams began with the military to evaluate the efficacy of strategies against enemies without engaging in actual combat.

By creating a red team tasked with attacking the so-called blue team using whatever tactics they deemed most effective, military organizations were able to pinpoint problems before they reached the battlefield, in turn helping to reduce the risk of personnel and material loss.

Over time, the term red team came to refer to a business using internal resources to assess current defensive readiness.

How in-demand is this role, and why?

Much like other cybersecurity jobs, red teamers are in-demand. Consider data from the U.S. Bureau of Labor Statistics, which notes that information security analyst roles — which include red team members — are in high demand, growing at a rate of 35% over the next 10 years. A quick search of job sites such as Indeed or ZipRecruiter reveals hundreds of open red team positions nationwide.

The continued popularity of this role should come as no surprise, given the evolving nature of cybersecurity threats. From the growth of Ransomware-as-a-Service (RaaS) marketplaces to the ongoing success of attacker standbys such as phishing, security is never a “solved” problem for organizations.

Red teamers provide a way for companies to test their defenses in (nearly) real-world conditions. By allowing red teams to conduct attacks without warning, enterprises can see how their existing security practices work in response to emerging threats.

For example, red teams may attempt social engineering techniques to gain user credentials and access network services undetected. If successful, these mock attacks allow companies to address security weak points before attackers can exploit them. These red team efforts also help highlight areas of confirmation bias, where collective belief in the efficacy of a security system leads to incorrect assumptions about its ability to defend against actual threats.

Learn More on X-Force Red  

What qualifications do red teamers need?

There’s a growing need for red teamers, and many companies choose to upskill existing staff to bridge the security gap. As a result, there are no standardized certification paths for red teamers.

Instead, several popular security qualifications can help prospective red team members better understand attackers and create effective compromise strategies. These include:

CompTIA Security+

This entry-level certification is a great introduction to common security practices and protocols. It also helps set the stage for more advanced qualifications.

CompTIA PenTest+

This qualification focuses on the practice of penetration testing. It assesses the ability of IT professionals to plan and scope penetration testing efforts, understand any related legal or compliance concerns and create written reports based on their findings.

Certified Ethical Hacker (CEH)

CEH provides professionals with the best practices necessary to carry out simulated attacks in such a way that they appear real but don’t fundamentally damage corporate systems.

Certified Cloud Penetration Tester (CCPT)

With the cloud now a critical part of business operations, CCPT is a sought-after designation to help companies build red teams capable of testing security measures across both local and off-site IT environments.

Certified Red Teams Operations Professional (CRTOP)

CRTOP certification holders are often red team leaders. This advanced qualification provides the knowledge and skills necessary to monitor and manage red team progress and keep defenders on their toes.

What are the primary responsibilities of this role?

Red team members aim to develop and deploy attacks that appear real and force security teams to respond ASAP.

In practice, this means finding and assessing security weak points, choosing appropriate attack vectors and carrying out a controlled attack that attempts to evade detection or capture. For example, red teams might start with a phishing campaign to obtain employee credentials. Then, they may leverage these credentials to gain system access and move laterally across network services until they can access sensitive data.

Once there, red teams may encrypt this information and demand a ransom. Once they’ve reached this end goal, the simulated attack ends and they return the data to company control. Teams then write up reports about how the attack was carried out, where they were able to compromise current defenses and what steps should be taken to improve overall protection.

Who is in charge of red teams?

In most cases, red teams report directly to the CISO. They may be given direction from the CISO on creating attacks or testing specific parts of corporate security frameworks. However, red teams also enjoy a significant level of autonomy when it comes to designing and carrying out attacks.

It makes sense. If the CISO knew what was coming, they might unintentionally share information with incident response teams that could reduce the efficacy of red team efforts. Ideally, a red team attack should look exactly like its real-world counterpart and prompt the same response from security teams. The only difference is the end game. Instead of encrypting and ransoming data for profit, red teams return control of systems to security professionals and prepare a report on what worked, what didn’t and what needs to improve.

Considering a cybersecurity career switch? Red teamers are on the rise as enterprises look to shore up defenses against evolving and unexpected attacks.

 |  |  |  | 
Doug Bonderud
Writer

More from Incident Response
April 9, 2024

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

March 6, 2024

Why federal agencies need a mission-centered cyber response

4 min read - Cybersecurity continues to be a top focus for government agencies with new cybersecurity requirements. Threats in recent years have crossed from the digital world to the physical and even involved critical infrastructure, such as the cyberattack on SolarWinds and the Colonial Pipeline ransomware attack. According to the IBM Cost of a Data Breach 2023 Report, a breach in the public sector, which includes government agencies, is up to $2.6 million from $2.07 million in 2022. Government agencies need to move…

February 21, 2024

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature